Docker container, program run without root permission has no network access

  • I have numerous docker containers running all without issues, except for one which I had to do a workaround to get working.


    It appears all of my docker containers run the apps inside them under a root instance.


    The one container I'm having a problem with runs its application (a node instance) as a non-root user. The problem is it doesn't have any network access. I tried to troubleshoot this by attaching to the shell session within the container and tried an nslookup which failed. Tried to run a ping but ping required root access (which was odd but whatever). I then closed the session and reattached to the shell as root and had no issues with nslookup or ping.


    I installed docker on an ubuntu VM, pulled the same image and copied the folder with all of the config files over to it, mapped the volumes, etc and ran the docker container and it had no problems at all running as the image was written.


    Back on OMV, I deleted the image, and using portainer I copied the dockerfile information but left out the following lines:
    RUN chown 1000:1000 -R /app
    USER node


    Ran the image, pointed the volumes the same as before, and it worked just fine.


    Do the same, but re-add those lines, and no network connectivity.


    Is there any specific reason why the docker install on OMV will deny network rights within a container when the program running in the container is run by a user other than root? I'm pretty sure I tried running the container as a different user and had the same issues.

  • Yup, I actually have a user called dockeruser which is given rights to the docker group. All of my containers are created and run using this account and all seem to work fine. The only difference I notice is that this particular container does a chown 1000:1000 and then switches to user "node" within the container during runtime. I believe it's the only container I'm running that does something of the sort. Most of them you pass a UID/GID as an environment variable, although I'll still do the docker run as the dockeruser account.

  • If you stated the name and source of the docker image in use I must have missed it. If there is no documentation available for it, and you'd be surprised how often this is the case, then having difficulties wouldn't be surprising.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.
